
National Strategy for Trusted Identities in Cyberspace Applicant’s Webinar 25 April 2013


Presentation Transcript


  1. National Strategy for Trusted Identities in Cyberspace
     Applicant’s Webinar
     25 April 2013

  2. Agenda
     2:00  NSTIC Overview and Status Update (Jeremy Grant, Senior Executive Advisor for Identity Management)
     2:20  Trusted Online Credentials for Accessing Government Services – Purpose and Scope (Jeremy Grant, Senior Executive Advisor for Identity Management)
     2:50  Overview of the Pilot Projects Federal Funding Opportunity (Michael Garcia, Deputy Director, NSTIC)
     3:10  Administrative Requirements (Barbara Cuthill, NSTIC Grants Lead)
     3:30  Questions and Answers (Jeremy Grant, Senior Executive Advisor for Identity Management)

  3. National Strategy for Trusted Identities in Cyberspace
     Jeremy Grant, Senior Executive Advisor, Identity Management
     National Institute of Standards and Technology (NIST)

  4. What is NSTIC?
     Called for in the President’s Cyberspace Policy Review (May 2009): a “cybersecurity focused identity management vision and strategy…that addresses privacy and civil-liberties interests, leveraging privacy-enhancing technologies for the nation.”
     Guiding Principles
     • Privacy-Enhancing and Voluntary
     • Secure and Resilient
     • Interoperable
     • Cost-Effective and Easy To Use
     NSTIC calls for an Identity Ecosystem, “an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.”

  5. The Problem Today
     Usernames and passwords are broken
     • Most people have 25 different passwords, or use the same one over and over
     • Even strong passwords are vulnerable…criminals have many paths to easily capture the “keys to the kingdom”
     • Rising costs of identity theft
       • 11.6M U.S. victims (+13% YoY) in 2011, at a cost of $37 billion
       • 67% increase in the number of Americans impacted by data breaches in 2011 (Source: Javelin Strategy & Research)
     • A common vector of attack
       • Sony Playstation, Zappos, Lulzsec, LinkedIn, among dozens of 2011-12 breaches tied to passwords

  6. The Problem Today
     2011: 5 of the top 6 attack vectors are tied to passwords
     2010: 4 of the top 10
     Source: 2012 Data Breach Investigations Report, Verizon and USSS

  7. The Problem Today
     Identities are difficult to verify over the internet
     • Numerous government services still must be conducted in person or by mail, leading to continually rising costs for state, local and federal governments
     • Electronic health records could save billions, but can’t move forward without solving the authentication challenge for providers and individuals
     • Many transactions, such as signing an auto loan or a mortgage, are still considered too risky to conduct online due to liability risks

  8. The Problem Today
     Privacy remains a challenge
     • Individuals often must provide more personally identifiable information (PII) than necessary for a particular transaction
     • This data is often stored, creating “honey pots” of information for cybercriminals to pursue
     • Individuals have few practical means to control use of their information

  9. Privacy: Increasingly Complex as Volumes of Personal Data Grow Source: World Economic Forum, “Rethinking Personal Data: Strengthening Trust,” May 2012

  10. Trusted Identities provide a foundation
      • Enable new types of transactions online
      • Reduce costs for sensitive transactions
      • Improve customer experiences
      • Offer citizens more control over when and how data is revealed
      • Share a minimal amount of information
      • Fight cybercrime and identity theft
      • Increased consumer confidence

  11. January 1, 2016
      The Identity Ecosystem: Individuals can choose among multiple identity providers and digital credentials for convenient, secure, and privacy-enhancing transactions anywhere, anytime.
      Guiding principles shown in the diagram: Cost-effective and easy to use; Privacy-enhancing; Secure; Interoperable
      Example scenarios shown in the diagram:
      • Online shopping with minimal sharing of PII
      • Apply for a mortgage online with e-signature
      • Trustworthy critical service delivery
      • Secure sign-on to a state website
      • Security ‘built into’ the system to reduce user error
      • Privately post location to her friends

  12. We've proven that Trusted Identities matter

  13. What does NSTIC call for?

  14. NSTIC National Program Office (NPO)
      • Charged with leading day-to-day coordination across government and the private sector in implementing NSTIC
      • Funded with $16.5M for FY13

  15. Key Implementation Steps

  16. National Strategy for Trusted Identities in Cyberspace
      Trusted Online Credentials for Accessing Government Services – Purpose and Scope
      Jeremy Grant, Senior Executive Advisor, Identity Management
      National Institute of Standards and Technology (NIST)

  17. Pilot Overview
      Purpose
      • Advance the NSTIC vision, objectives, and guiding principles.
      • Demonstrate innovative frameworks that can provide a foundation for the Identity Ecosystem, and tackle barriers that have, to date, impeded the Identity Ecosystem from being fully realized.
      • Enable state and local governments to effectively shift eligibility and enrollment processes for services to a virtual environment, through secure identity verification solutions, to support convenient customer access and program integrity across different services and agencies.

  18. Pilot Overview
      “Make something happen that otherwise would not”
      • Pilots should test or demonstrate new solutions, models or frameworks that do not exist or are not widely adopted in the marketplace today…
      • … and that would be unlikely to be widely adopted in a timely manner – at least in a way that supports NSTIC – without this pilot funding

  19. Partnership Fund for Program Integrity Innovation
      • The Partnership Fund seeks innovative ideas for improving the stewardship of federal dollars to create an efficient, effective government model for the 21st century.
      • Using funds appropriated by Congress, the Partnership Fund funds pilot projects and evaluations that test ideas for improving Federal Assistance Programs (e.g., SNAP, Medicaid) that are administered in cooperation with the states, or where Federal-state cooperation could otherwise be beneficial.
      • Website: http://www.partner4solutions.gov/

  20. Partnership Fund Success Measures
      • Reducing improper payments
      • Improving administrative efficiency
      • Improving service delivery
      • Protecting and improving program access for eligible beneficiaries

  21. Partnership Fund for Program Integrity Innovation
      What the Partnership Fund Does Not Do
      • The Partnership Fund is not a comprehensive initiative to modernize benefit delivery across all states. It will not supplant existing resources that state and Federal agencies already spend on program administration.
      • Furthermore, it will not interfere with current incentive arrangements that help states improve program integrity for specific programs. The Partnership Fund does not pre-empt existing program statutes.
      • Pilots that achieve savings primarily by imposing barriers to application, or otherwise reducing the participation of eligible beneficiaries, will not be funded.

  22. Funding
      • Up to $2.7 million may be made available in FY 2013, provided from the OMB Partnership Fund
      • Expect two awards will be made
      • $1,250,000 to $1,350,000 per award
      • One year performance period

  23. Focus on Barriers
      Identity issues present major challenges to public benefits programs. Remaining significant barriers include:
      1. Concerns about applicant and beneficiary privacy, such as concerns that identity proofing techniques may be too intrusive, as well as concerns that data collected will be inappropriately shared with other programs or parties.
      2. Difficulties conducting identity proofing and ensuring that commonly-used identity proofing approaches can adequately cover 100% of the beneficiary population.
      3. The high per-user costs of many identity solutions, some of which even exceed the budgets of agencies, particularly when the solution would only be used in a single service, as well as challenges demonstrating the ability to show how costs could be recovered.
      4. Security challenges faced by some states in demonstrating an ability to securely store sensitive information.

  24. Focus on Barriers
      • Pilots provide creative solutions to overcoming barriers.
      • Pilots demonstrate the feasibility of solutions consistent with the NSTIC vision and guiding principles.
      • Pilots provide a foundation upon which the Identity Ecosystem can be constructed.

  25. Priority for Interoperable Credentials
      Priority will be given to projects which:
      • Demonstrate the potential for interoperability of identity credentials issued in partnership with a private provider
      • Demonstrate the potential for interoperable credentials across both state and Federal programs
      • Encourage partnerships between private sector providers and governments at all levels

  26. Proprietary Solutions
      • Solutions may be vendor-supplied proprietary solutions
      • NIST requires that the solutions be interoperable within the Identity Ecosystem
      • Must not lock the applying agency or non-profit into a single solution
      • Approach must be replicable across multiple agencies, programs and jurisdictions

  27. National Strategy for Trusted Identities in Cyberspace
      Overview of the Federal Funding Opportunity
      Michael Garcia, Deputy Director, NSTIC

  28. Contents
      • Eligibility
      • Cost-Share
      • Application Submission
      • Full Application Contents
      • Application Submission
      • Evaluation Criteria
      • Selection Factors
      • Evaluation Process

  29. Who is an eligible applicant?
      • State, local, and Indian tribal governments
      • Non-profit organizations located in the United States and its territories

  30. Who is not eligible to lead a project?
      • Individuals
      • Federal government entities
      • Entities located outside the U.S.
      • For-profit entities

  31. Cost-Share
      • Cost-share is not required

  32. Application Submission
      • All applications must be submitted through Grants.gov
      • Verify that your registration is up to date early!
      • Hardcopy, email or faxed applications will not be accepted.
      • Applications due by 11:59 P.M. on May 16

  33. Application Contents
      • SF-424, Application for Federal Assistance
        • Same as for abbreviated application
      • SF-424A, Budget Information - Non-Construction Programs
        • Budget should reflect anticipated expenses for each year of the project of no more than two (2) years, considering all potential cost increases, including cost of living adjustments.
      • SF-424B, Assurances - Non-Construction Programs
      • CD-511, Certification Regarding Lobbying
      • SF-LLL, Disclosure of Lobbying Activities (if applicable)

  34. Full Application Contents – Cont.
      Full Technical Application
      • Word-processed document
      • No more than twenty-five (25) pages
      • Responsive to program description and evaluation criteria
      • Contains the following:
        • Executive Summary
        • Project Approach
        • Statement of Work and Implementation Plan
        • Project Impact
        • Qualifications
        • Budget Narrative

  35. Statement of Work and Implementation Plan
      • Discusses the specific proposed tasks
      • Includes a schedule of measurable events and milestones
      • Includes measurable performance objectives
      • Can include a Gantt chart, Work Breakdown Structure or other format to present the plan (not included in the page count)

  36. Letters
      • Letters of commitment to participate from third parties, indicating their commitment to participate and what they will do:
        • Subawardees
        • Contractors
        • Other collaborators
      • Letters are outside the page count

  37. Evaluation Criteria
      • Adherence to NSTIC Guiding Principles (30 points)
        • Privacy-enhancing and voluntary (6 points)
        • Secure and resilient (6 points)
        • Interoperable (6 points)
        • Cost Effective and Easy to Use (6 points)
        • Integration of all 4 principles (6 points)
      • Contribution to the Identity Ecosystem (15 points)
      • Measurable Outcomes and Impacts (30 points)
      • Quality of Implementation Plan (15 points)
      • Resource Availability (10 points)

  38. Adherence to NSTIC Guiding Principles: Privacy-enhancing and voluntary
      The envisioned Identity Ecosystem will mitigate privacy and civil liberties risks engendered by the capability for greater identification, tracking, and personal data aggregation. Such mitigation will be grounded in conformance to the Fair Information Practice Principles (FIPPs) (see Appendix A of NSTIC) in order to provide multi-faceted privacy protections.

  39. Adherence to NSTIC Guiding Principles: Privacy-enhancing and voluntary (cont.)
      Reviewers will be looking for specific details on how privacy and civil liberties will be protected and how that protection will be implemented. In particular, reviewers will be looking for a demonstrated understanding of the privacy or civil liberties risks raised by the proposal and the appropriateness of mitigations for such risks, including:

  40. Adherence to NSTIC Guiding Principles: Privacy-enhancing and voluntary (cont.)
      • How the proposal:
        • Addresses any collection, use, and disclosure or transmission of personal information;
        • Addresses when and in what manner users will be provided with information about how project participants (the project lead, contractors, subawardees and other collaborators) collect, use, disseminate, and maintain personal information, as well as how individuals can control their personal information and attributes;
        • Addresses why and for how long personal information will be retained, the appropriateness of the development of any new databases of personal information, as well as security measures for any such retention;
        • Minimizes retention of personal information;
        • Minimizes data aggregation and linkages across transactions;

  41. Adherence to NSTIC Guiding Principles: Privacy-enhancing and voluntary (cont.)
      • How the proposal: (cont.)
        • Provides appropriate mechanisms to allow individuals to access, correct, and delete personal information;
        • Establishes accuracy standards for personal information used in identity assurance, authentication or authorization solutions;
        • Protects, transfers at the individual’s request, and securely destroys personal information when terminating business operations or overall participation in the Identity Ecosystem;
        • Accounts for how personal information is actually collected, used, disclosed or transmitted and retained, and provides mechanisms for compliance, audit, and verification; and
        • Provides effective redress mechanisms for, and advocacy on behalf of, individuals who believe their personal information may have been misused.

  42. Adherence to NSTIC Guiding Principles: Privacy-enhancing and voluntary (cont.)
      • Identifying how FIPPs will be used to address the topics in section (i) above; whether they will be implemented by policy and/or technical measures; which project participant(s) will be responsible for the implementation; and supporting performance metrics for such implementations; and
      • Describing what role, if any, trust frameworks will play in the enforcement of a common privacy framework applicable to all project participants, including IdPs and RPs.

  43. Adherence to NSTIC Guiding Principles: Secure and Resilient
      Security ensures the confidentiality, integrity and availability of identity solutions, and the non-repudiation of transactions. Credentials are resilient when they can easily and in a timely manner recover from loss, compromise, or theft and can be effectively revoked or suspended in instances of misuse. In addition to credentials, information stores also need to be protected.

  44. Adherence to NSTIC Guiding Principles: Secure and Resilient (cont.)
      Reviewers will be looking for specific details on how solutions are secure and resilient. Examples of such details may include, but are not limited to:
      • How new or existing Trust Frameworks ensure all project participants adhere to appropriate, risk-based levels of security.
      • How solutions embrace security mechanisms that provide material security advances over the password-based regime dominant in the marketplace today.
      • How solutions will provide secure and reliable methods of electronic authentication.
      • How solutions demonstrate the integration of all major aspects of the project.

  45. Adherence to NSTIC Guiding Principles: Interoperable
      Interoperability enables service providers to accept a variety of credentials and identity media, and also supports identity portability, enabling individuals to use a variety of credentials in asserting their digital identity to a service provider. Interoperability needs to go beyond standards conformity to address policy and procedural interoperability. Reviewers will be looking for proposals that foster the reduction and elimination of policy and technology silos. For instance, if the entity supplying the credential is the only entity accepting the credential, then interoperability has not been demonstrated.

  46. Adherence to NSTIC Guiding Principles: Interoperable (cont.)
      Reviewers will be looking for specific details on how proposed solutions are interoperable. Examples of such details may include, but are not limited to:
      • How new or existing Trust Frameworks ensure all project participants adhere to common standards, policies, and rules and ensure proper and consistent treatment of personal data.
      • How solutions leverage existing standards and/or demonstrate the need for new standards and an ability to materially advance the development and adoption of new standards.
      • How solutions can be used across multiple sectors and RPs.
      • How individual credentials are simply and securely portable between RPs, with appropriate notifications to individuals.

  47. Adherence to NSTIC Guiding Principles: Cost-effective and Easy to Use
      Identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training. This can be achieved with the thoughtful integration of usability principles and user-centered design. Many existing technology components in widespread use today (i.e., mobile phones, smart cards, and personal computing devices) can be leveraged to act as or contain a credential.

  48. Adherence to NSTIC Guiding Principles: Cost-effective and Easy to Use (cont.)
      Reviewers will be looking for specific details on how solutions are cost-effective and easy to use. Examples of such details may include, but are not limited to:
      • How new or existing Trust Frameworks can lower costs for all Identity Ecosystem stakeholders and erase barriers to usability.
      • How solutions do not present significant usability challenges.
      • How solutions propose innovative applications of technology that enhance usability, relative to current market solutions.
      • How costs per user are not prohibitive and can grow the Identity Ecosystem in accordance with the NSTIC’s four guiding principles (see Section I of this FFO).
      • How solutions lower barriers for user acceptance and can be easily incorporated into current user activities.
      • How service level agreements provide easy to understand opt-in choices for the consumer to use a service.

  49. Adherence to NSTIC Guiding Principles: Integration of All Four Guiding Principles
      Identity solutions should demonstrate that they implement all four guiding principles (a. through d. above) in an integrated manner.

  50. Contribution to Identity Ecosystem
      Identification of how the proposed trusted identity solution will move beyond the pilot phase to contribute more broadly to the Identity Ecosystem. Making this transition includes the ease with which the solution could be implemented elsewhere.
